nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 06:53:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

coturn: make setgroups conditional on privdrop codepath

Browse Source 
Make coturn only call setgroups, when it actually needs to privdrop. In
the nixos module we already run coturn as an unprivileged user, which
means we don't need to provide access to the setgroups syscall in the
first place.
This commit is contained in:
Martin Weinelt 2024-10-14 18:46:04 +02:00
parent 1815d5a7a7
commit 101d12296d
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
2 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/servers/coturn/default.nix
View File

@ -37,6 +37,10 @@ stdenv.mkDerivation rec {
patches = [
./pure-configure.patch
# Don't call setgroups unconditionally in mainrelay
# https://github.com/coturn/coturn/pull/1508
./dont-call-setgroups-unconditionally.patch
];
# Workaround build failure on -fno-common toolchains like upstream

46
pkgs/servers/coturn/dont-call-setgroups-unconditionally.patch Normal file
View File

@ -0,0 +1,46 @@
From 1b5da9c7c5423eed7a567a02e66c244705116724 Mon Sep 17 00:00:00 2001
From: networkException <git@nwex.de>
Date: Thu, 30 May 2024 02:07:04 +0200
Subject: [PATCH] Don't call `setgroups` unconditionally in mainrelay
This patch moves the call to `setgroups` from the beginning of the
`drop_priviliges` function to branch in which `setuid` is actually
called. This still fulfills the intention of
acbf7e15c9290e0891a6b6b5ce6e81bbaa77ce5a, initially introducting
the call to `setgroups`:
> Fix related to POS36-C and rpmlint error
> "missing-call-to-setgroups-before-setuid".
As per this intention is is not required to call `setgroups`
otherwise, reducing the more exotic (as in not part of POSIX and
considered priviliged by systemd) system calls coturn needs to make
at startup.
---
src/apps/relay/mainrelay.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index cf370ec8a..56eaf82d0 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -2913,7 +2913,6 @@ static void drop_privileges(void) {
#if defined(WINDOWS)
// TODO: implement it!!!
#else
- setgroups(0, NULL);
if (procgroupid_set) {
if (getgid() != procgroupid) {
if (setgid(procgroupid) != 0) {
@@ -2929,6 +2928,11 @@ static void drop_privileges(void) {
if (procuserid_set) {
if (procuserid != getuid()) {
+ if (setgroups(0, NULL) != 0) {
+ perror("setgroups: Unable drop supplementary groups");
+ exit(-1);
+ }
+
if (setuid(procuserid) != 0) {
perror("setuid: Unable to change user privileges");
exit(-1);